The hack took place after the project’s community manager, Boris Vagner, had his Discord account compromised. The attacker then used the account to post phishing links in the Discord channels of the official BAYC and its related metaverse project, Otherside.
News of the hack was first reported by the Twitter user @NFTherder, who also estimated that 145 ETH (about $260,000) was stolen along with NFTs, and who traced the stolen funds to four separate wallets.
🚨BAYC & OtherSide discord got compromised‼️
Seems because Community Manager @BorisVagner got his account breached, which let the scammers execute their phishing attack. Over 145E in was stolen
Proper permissions could prevent this pic.twitter.com/lCl2DfZQ0W
— OKHotshot (@NFTherder) June 4, 2022
Yuga Labs later confirmed the exploit in a tweet of its own, saying it is still actively investigating the incident. It did so 11 hours after NFTHerder’s tweet.
Mr Vagner is also the manager of his brother, Grammy-winning multi-instrumentalist Richard Vagner, who co-founded an NFT fantasy football club with Boris called Spoiled Banana Society (SBS). The attacker also posted a phishing link on SBS’s Discord channel, but the message was later deleted, Richard said.
“Hey @all we got hacked an hour ago hope no one clicked on a link,” said Richard Vagner in a Discord message at 09:00 UTC. “We took back control of Boris’s discord and account, thank goodness he didn’t delete the whole server.”
It’s unclear if anyone in the SBS channel was affected, though Richard asked Discord members for information related to the attack.
“We will restore all tabs in the coming days and let you know if there is anything else he changed,” he said.
The Vagners also run a music label called Metaverse Records. In the same SBS Discord post, Richard independently confirmed that the BAYC and Otherside Discords have also been “pirated.”
“Please stay safe,” he wrote.
This is the third time a hacker has managed to impersonate an account managed by Yuga Labs in order to steal user funds. The first time was April 1, when Mutant Ape Yacht Club #8662 was stolen through a phishing link posted in the project’s Discord, and the second time was April 25, after Bored Ape Yacht Club’s Instagram and Discord accounts posted a fake link to an Otherside mint.
Last week, actor Seth Green became a stark example of the kind of phishing that is rampant in the NFT industry, when someone managed to scam him out of his Bored Ape.
In response to Saturday’s incident, one of BAYC’s founders blamed Discord for the lack of security.
“Discord isn’t working for web3 communities,” said Gordon Goner in a tweet. “We need a better platform that puts security first.”
Discord isn’t working for web3 communities. We need a better platform that puts security first.
— GordonGoner.eth (@GordonGoner) June 4, 2022
However, another crypto project founder blamed the users themselves for compromising their wallets.
“You lost your NFT because you signed a malicious transaction with your key,” wrote Steve Fink. “Stop blaming Discord, another client won’t save you from repeating the same mistakes.”
you didn’t lose your NFT because you used Discord
you lost your NFT because you signed a malicious transaction with your key
stop blaming Discord, another client won’t save you from repeating the same mistakes
— evets.eth ⌐◨-◨ (@stevefink) June 4, 2022